Malware & Threats

Cloudflare Tunnels Abused for Malware Delivery

Threat actors are abusing Cloudflare’s TryCloudflare feature to create one-time tunnels for the distribution of remote access trojans.

For half a year, threat actors have been abusing Cloudflare Tunnels to deliver various remote access trojan (RAT) families, Proofpoint reports.

Since February 2024, the attackers have been abusing the TryCloudflare feature, which lets anyone create a one-time tunnel without a Cloudflare account, and have used those tunnels to distribute AsyncRAT, GuLoader, Remcos, VenomRAT, and Xworm.

Cloudflare Tunnels expose a locally hosted service to the internet through Cloudflare's edge without opening inbound ports, and the TryCloudflare variant does so under a randomly generated hostname with no account required. In the observed attacks, threat actors deliver phishing messages containing a URL, or an attachment leading to a URL, that connects through such a tunnel to an attacker-controlled external file share.

Once the link is accessed, a first-stage payload is downloaded and a multi-stage infection chain begins, ending in the installation of the malware.

“Some campaigns will lead to multiple different malware payloads, with each unique Python script leading to the installation of a different malware,” Proofpoint says.

As part of the attacks, the threat actors used English, French, German, and Spanish lures, typically on business-relevant topics such as document requests, invoices, deliveries, and taxes.

“Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally,” Proofpoint notes.

The cybersecurity firm also points out that, while individual parts of the attack chain have been modified over time to improve sophistication and defense evasion, the tactics, techniques, and procedures (TTPs) have stayed consistent across the campaigns, suggesting that a single actor is behind them. The activity has not, however, been attributed to a known threat actor.

“The use of Cloudflare tunnels provides the threat actors a way to use temporary infrastructure to scale their operations providing flexibility to build and take down instances in a timely manner. This makes it harder for defenders and traditional security measures such as relying on static blocklists,” Proofpoint notes.
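The blocklist problem described above is one a defender can sidestep by matching the tunnel naming pattern instead of individual hostnames. The following Python script is an added example, not code from SecurityWeek or Proofpoint. It assumes that TryCloudflare quick tunnels are served under randomly generated subdomains of trycloudflare.com, the proxy log lines and hostnames in it are constructed for the example, and the list of payload file extensions is an assumption. It flags every request to a trycloudflare.com host, raises the severity when the path ends in a script or archive extension of the kind the first-stage payloads use, and groups hits by tunnel host so that a burst of internal clients fetching the same freshly minted hostname stands out.

```python
"""Flag proxy requests to TryCloudflare quick tunnels instead of blocklisting hosts.

Added example, not code from SecurityWeek or Proofpoint. Assumptions:
- TryCloudflare quick tunnels are served under randomly generated
  subdomains of trycloudflare.com, so the suffix is the stable indicator.
- SAMPLE_LOG lines and every hostname in them are constructed for this example.
- SUSPECT_EXTENSIONS is an assumed list of first-stage payload file types.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

TUNNEL_SUFFIX = ".trycloudflare.com"
SUSPECT_EXTENSIONS = (".py", ".zip", ".lnk", ".vbs", ".js", ".bat", ".ps1", ".exe")

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2024-05-03T10:12:01Z 10.0.0.7 GET https://www.cloudflare.com/ 200
2024-05-03T10:14:22Z 10.0.0.12 GET https://brick-rough-answer-ms.trycloudflare.com/invoice/docs.zip 200
2024-05-03T10:14:30Z 10.0.0.19 GET https://brick-rough-answer-ms.trycloudflare.com/invoice/docs.zip 200
2024-05-03T10:20:05Z 10.0.0.12 GET https://Brick-Rough-Answer-ms.TryCloudflare.com:443/stage/update.py 200
2024-05-03T10:31:44Z 10.0.0.4 GET https://quiet-dev-test-tunnel.trycloudflare.com/api/health 200
2024-05-03T10:32:00Z 10.0.0.4 GET https://trycloudflare.com.evil.example/x.zip 200
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    src_ip: str
    host: str
    url: str
    severity: str  # "high" when the path looks like a payload, else "medium"


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL with port and credentials stripped."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trycloudflare(host: str) -> bool:
    """Suffix match on the tunnel domain. Rejects look-alikes such as
    trycloudflare.com.evil.example, attacker-trycloudflare.com and the bare apex."""
    return host.endswith(TUNNEL_SUFFIX)


def parse_line(line: str) -> tuple[str, str] | None:
    """Return (client_ip, url) for a well-formed line, None otherwise."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].startswith(("http://", "https://")):
        return None
    return parts[1], parts[3]


def scan(log_text: str) -> list[Finding]:
    """One Finding per request whose host is a TryCloudflare tunnel."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, url = rec
        host = host_of(url)
        if not is_trycloudflare(host):
            continue
        path = urlsplit(url).path.lower()
        severity = "high" if path.endswith(SUSPECT_EXTENSIONS) else "medium"
        findings.append(Finding(src_ip, host, url, severity))
    return findings


def clients_per_tunnel(findings: list[Finding]) -> dict[str, set[str]]:
    """Group client IPs by tunnel host: several clients fetching the same
    freshly minted hostname in a short window is the campaign signature."""
    groups: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        groups[f.host].add(f.src_ip)
    return dict(groups)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.severity:6} {f.src_ip:10} {f.host} {f.url}")
    for host, clients in clients_per_tunnel(hits).items():
        print(f"{host}: {len(clients)} client(s)")
```

Because developers also use TryCloudflare legitimately, the suffix match alone is a medium-confidence signal; the payload-extension check and the count of distinct clients per tunnel host are what turn it into something worth paging on.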

Since 2023, multiple adversaries have been observed abusing TryCloudflare tunnels in their malicious campaigns, and the technique is gaining popularity, Proofpoint also says.

Last year, attackers were seen abusing TryCloudflare in a LabRat malware distribution campaign to obfuscate their command-and-control (C&C) infrastructure.

Related: Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft

Related: Network of 3,000 GitHub Accounts Used for Malware Distribution

Related: Threat Detection Report: Cloud Attacks Soar, Mac Threats and Malvertising Escalate

Related: Microsoft Warns Accounting, Tax Return Preparation Firms of Remcos RAT Attacks

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.